DSAccess no longer uses RPCs to perform Active Directory service discovery, however, it does use RPCs for other tasks. To disable these, see Configuring DSAccess for Perimeter Networks. However, IIS still uses RPCs to authenticate requests on the front-end server. Therefore, if you enable authentication on the front-end server (which is strongly recommended), it must be able to use RPCs. The recommended scenario is for the front-end to be behind the internal firewall, in which case this should not be a problem. However, if you must place your front-end server in a perimeter network, you must open certain RPC ports. For more information about opening RPC ports on the intranet firewall, see Configuring an Intranet Firewall.

This section applies if you place an Exchange front-end server in the perimeter network and do not allow RPC traffic across the internal firewall.

Corporations that have perimeter networks often restrict the type of traffic that passes from the perimeter network into the corporate intranet.

Without RPC access to Active Directory servers, the front-end server cannot authenticate clients. Therefore, features that require authentication on the front-end server (such as implicit logon and public folder tree load balancing) will not work. Public folder access is possible, but the front-end server cannot load-balance the requests because the front-end server cannot determine the identity of the user. Without the user's authentication token, the front-end server cannot perform the load balancing hashing algorithm. As a result, all anonymous requests for a public folder are routed to the same back-end server.

Note:

It is recommended that you use an advanced firewall server (such as ISA Server) rather than the front-end server in the perimeter network. For more information, see Advanced Firewall in a Perimeter Network.

Note:

IMAP and POP clients require SMTP for sending e-mail messages. If you do not allow RPC traffic across the internal firewall, you cannot run SMTP on the front-end server to support IMAP and POP clients because when RPC traffic is blocked, MSExchangeIS does not run on the front-end server. However, you can set up a separate server to perform SMTP functions for IMAP and POP clients.

If RPC ports are not allowed between the perimeter network and the corporate intranet, you must use pass-through authentication. With pass-through authentication, the front-end server passes requests to the back-end anonymously, and then the back-end server performs the authentication.